EDPB Final Recommendations on Supplementary Measures for Cross-Border Data Transfers: Chinese-English Parallel Version

Background

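Most readers will have some familiarity with the EU General Data Protection Regulation (GDPR). In recent years the EU has seen many personal data protection cases and rulings based on the GDPR. Just yesterday, on July 30, a preliminary decision was made against Amazon: for violating the GDPR, it was fined 746 million euros (about 888 million US dollars) by an EU privacy regulator. This is reportedly the largest fine to date since the GDPR took effect in May 2018.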

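Over time, the regulation has continued to receive supplementary interpretation of various kinds. This article is a Chinese-English parallel version produced by translating the final Recommendations on supplementary measures for cross-border data transfers, published by the EDPB in June 2021. For companies that are located in the EEA, or that need to provide services to users there, this document should be an important reference.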

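For activities that transfer personal data across borders, the document provides precise and detailed operational guidance; see the table of contents in the figure below.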

Executive summary

The EU General Data Protection Regulation (GDPR) was adopted to serve a dual-purpose: facilitating the free flow of personal data within the European Union, while preserving the fundamental rights and freedoms of individuals, in particular their right to the protection of personal data.

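The EU General Data Protection Regulation (GDPR) was adopted to achieve a dual purpose: promoting the free flow of personal data within the European Union while safeguarding the fundamental rights and freedoms of individuals, in particular their right to the protection of personal data.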

In its recent judgment C-311/18 (Schrems II) the Court of Justice of the European Union (CJEU) reminds us that the protection granted to personal data in the European Economic Area (EEA) must travel with the data wherever it goes. Transferring personal data to third countries cannot be a means to undermine or water down the protection it is afforded in the EEA. The Court also asserts this by clarifying that the level of protection in third countries does not need to be identical to that guaranteed within the EEA but essentially equivalent. The Court also upholds the validity of standard contractual clauses, as a transfer tool that may serve to ensure contractually an essentially equivalent level of protection for data transferred to third countries.

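In its recent judgment C-311/18 (Schrems II), the Court of Justice of the European Union (CJEU) reminds us that the protection given to personal data in the European Economic Area (EEA) must follow the data as it is transferred. Transferring personal data to third countries cannot become a means of undermining or weakening the protection it receives in the EEA. The Court also clarifies that the level of protection in third countries need not be identical to that within the EEA, but must be essentially equivalent. The Court further upholds the validity of standard contractual clauses, regarding them as a data transfer tool that can be used to ensure, by contract, essentially equivalent protection for data transferred to third countries.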

Standard contractual clauses and other transfer tools mentioned under Article 46 GDPR do not operate in a vacuum. The Court states that controllers or processors, acting as exporters, are responsible for verifying, on a case-by-case basis and, where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools. In those cases, the Court still leaves open the possibility for exporters to implement supplementary measures that fill these gaps in the protection and bring it up to the level required by EU law. The Court does not specify which measures these could be. However, the Court underlines that exporters will need to identify them on a case-by-case basis. This is in line with the principle of accountability of Article 5.2 GDPR, which requires controllers to be responsible for, and be able to demonstrate compliance with the GDPR principles relating to processing of personal data.

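Standard contractual clauses and the other data transfer tools mentioned in Article 46 GDPR do not operate in a “vacuum”. The Court states that controllers or processors acting as exporters are responsible for verifying, case by case and, where appropriate, in cooperation with the importer in the third country, whether the law or practice of the third country affects the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools. In those cases, the Court still leaves exporters the possibility of implementing supplementary measures to fill these gaps in protection and bring it up to the level required by EU law. The Court does not specify what these measures are. However, the Court stresses that exporters will need to identify them according to the specific circumstances. This is consistent with the accountability principle of Article 5.2 GDPR, which requires controllers to be responsible for, and able to demonstrate, compliance with the GDPR principles on the processing of personal data.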

To help exporters (be they controllers or processors, private entities or public bodies, processing personal data within the scope of application of the GDPR) with the complex task of assessing third countries and identifying appropriate supplementary measures where needed, the European Data Protection Board (EDPB) has adopted these recommendations. These recommendations provide exporters with a series of steps to follow, potential sources of information, and some examples of supplementary measures that could be put in place.

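To help exporters (whether controllers or processors, private entities or public bodies, processing personal data within the scope of the GDPR) with the complex task of assessing third countries and, where necessary, determining appropriate supplementary measures, the European Data Protection Board (EDPB) has adopted these recommendations. They give exporters a series of steps to take, potential sources of information, and some examples of supplementary measures that can be implemented.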

As a first step, the EDPB advises you, exporters, to know your transfers. Mapping all transfers of personal data to third countries can be a difficult exercise. Being aware of where the personal data goes is however necessary to ensure that it is afforded an essentially equivalent level of protection wherever it is processed. You must also verify that the data you transfer is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

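As a first step, the EDPB advises you (exporters) to understand your data transfers. Mapping all transfers of personal data to third countries can be difficult work. Knowing where personal data goes is nevertheless necessary to ensure that it receives essentially equivalent protection wherever it is processed. You must also confirm that the data you transfer is adequate, relevant, and limited to what is necessary for the purposes of processing.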

A second step is to verify the transfer tool your transfer relies on, amongst those listed under Chapter V GDPR. If the European Commission has already declared the country, region or sector to which you are transferring the data as adequate, through one of its adequacy decisions under Article 45 GDPR or under the previous Directive 95/46 as long as the decision is still in force, you will not need to take any further steps, other than monitoring that the adequacy decision remains valid. In the absence of an adequacy decision, you need to rely on one of the transfer tools listed under Articles 46 GDPR. Only in some cases you may be able to rely on one of the derogations provided for in Article 49 GDPR if you meet the conditions. Derogations cannot become “the rule” in practice, but need to be restricted to specific situations.

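As a second step, verify which of the tools listed in Chapter V GDPR your data transfer relies on. If the European Commission has already declared the country, region or sector to which you transfer the data adequate, through an adequacy decision under Article 45 GDPR or under the earlier Directive 95/46, then as long as that decision remains in force you need take no further measures other than monitoring that the adequacy decision is still valid. Where there is no adequacy decision, you need to rely on one of the transfer tools listed in Article 46 GDPR. Only in certain cases, and if you meet the conditions, can you rely on one of the derogations provided in Article 49 GDPR. Derogations cannot become “the rule” in practice and must be confined to specific situations.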

A third step is to assess if there is anything in the law and/or practices in force of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer. Your assessment should be focused first and foremost on third country legislation that is relevant to your transfer and the Article 46 GDPR transfer tool you are relying on. Examining also the practices of the third country’s public authorities will allow you to verify if the safeguards contained in the transfer tool can ensure, in practice, the effective protection of the personal data transferred. Examining these practices will be especially relevant for your assessment where:
(i) legislation in the third country formally meeting EU standards is manifestly not applied/complied with in practice;
(ii) there are practices incompatible with the commitments of the transfer tool where relevant legislation in the third country is lacking;
(iii) your transferred data and/or importer fall or might fall within the scope of problematic legislation (i.e. impinging on the transfer tool’s contractual guarantee of an essentially equivalent level of protection and not meeting EU standards on fundamental rights, necessity and proportionality).

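As a third step, assess whether anything in the law and/or practices in force in the third country may affect the effectiveness of the appropriate safeguards of the transfer tool you rely on, in the context of your specific transfer. Your assessment should focus first on the third-country legislation relevant to your transfer and on the Article 46 GDPR transfer tool you rely on. Also examining the practices of the third country's public authorities will let you verify whether the safeguards in the transfer tool can, in practice, ensure effective protection of the transferred personal data. Examining these practices is especially important for your assessment where:
(i) the third country has formal legislation meeting EU standards, but it is manifestly not applied or complied with in practice;
(ii) relevant legislation is lacking in the third country and there are practices incompatible with the commitments of the transfer tool;
(iii) your transferred data and/or the importer fall or may fall within the scope of problematic legislation (i.e. legislation that affects the transfer tool's contractual guarantee of an essentially equivalent level of protection and does not meet EU standards on fundamental rights, necessity and proportionality).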

In the first two situations, you will have to suspend the transfer or implement adequate supplementary measures if you wish to proceed with it.

In the third situation, in light of uncertainties surrounding the potential application of problematic legislation to your transfer, you may decide to: suspend the transfer; implement supplementary measures to proceed with it; or alternatively, you may decide to proceed with the transfer without implementing supplementary measures if you consider and are able to demonstrate and document that you have no reason to believe that relevant and problematic legislation will be interpreted and/or applied in practice so as to cover your transferred data and importer.

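In the first two situations, you must suspend the transfer, or implement appropriate supplementary measures if you wish to proceed with it.

In the third situation, given the uncertainty over whether problematic legislation may apply to your data transfer, you may decide to: suspend the transfer; implement supplementary measures in order to proceed with it; or, if you consider, and can demonstrate and document, that you have no reason to believe the relevant problematic legislation will be interpreted and/or applied in practice so as to cover your transferred data and data importer, proceed with the transfer without implementing supplementary measures.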

For evaluating the elements to be taken into account when assessing the law of a third country dealing with access to data by public authorities for the purpose of surveillance, please refer to the EDPB European Essential Guarantees recommendations.

You should conduct this assessment with due diligence and document it thoroughly. Your competent supervisory and/or judicial authorities may request it and hold you accountable for any decision you take on that basis.

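For the elements to consider when assessing third-country law governing public authorities' access to data for surveillance purposes, please refer to the EDPB European Essential Guarantees recommendations.

You should carry out this assessment with due diligence and document it fully. Your competent supervisory and/or judicial authorities may request it and hold you accountable for any decision you take on that basis.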

A fourth step is to identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. This step is only necessary if your assessment reveals that the third country legislation and/or practices impinge on the effectiveness of the Article 46 GDPR transfer tool you are relying on or you intend to rely on in the context of your transfer. These recommendations contain (in Annex 2) a non-exhaustive list of examples of supplementary measures with some of the conditions they would require to be effective.

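As a fourth step, identify and adopt the supplementary measures necessary to bring the level of protection of the transferred data up to the EU standard of essential equivalence. This step is necessary only if your assessment shows that third-country legislation and/or practices affect the effectiveness of the Article 46 GDPR transfer tool you rely on in the course of your transfer. These recommendations contain (in Annex 2) a non-exhaustive list of examples of supplementary measures, together with some of the conditions they require to be effective.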

As is the case for the appropriate safeguards contained in the Article 46 transfer tools, some supplementary measures may be effective in some countries, but not necessarily in others. You will be responsible for assessing their effectiveness in the context of the transfer, and in light of the third country law and practices and the transfer tool you are relying on, as you will be held accountable for any decision you take on that basis. This might also require you to combine several supplementary measures. You may ultimately find that no supplementary measure can ensure an essentially equivalent level of protection for your specific transfer. In those cases where no supplementary measure is suitable, you must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data. You should also conduct this assessment of supplementary measures with due diligence and document it.

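As with the appropriate safeguards contained in the Article 46 transfer tools, some supplementary measures may be effective in some countries but not necessarily in others. You are responsible for assessing their effectiveness for the transfer, in light of third-country law and practice and the transfer tool you rely on, and you will be held accountable for any decision you take on that basis. This may require you to combine several supplementary measures. You may ultimately find that no supplementary measure can ensure an essentially equivalent level of protection for your specific data transfer. Where no supplementary measure is suitable, you must avoid, suspend or terminate the transfer so as not to compromise the level of protection of the personal data. You should also carry out the assessment of supplementary measures with due diligence and document it.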

A fifth step is to take any formal procedural steps the adoption of your supplementary measure may require, depending on the Article 46 GDPR transfer tool you are relying on. These recommendations specify some of these formalities. You may need to consult your competent supervisory authorities on some of them.

The sixth and final step is to re-evaluate at appropriate intervals the level of protection afforded to the personal data you transfer to third countries and to monitor if there have been or there will be any developments that may affect it. The principle of accountability requires continuous vigilance of the level of protection of personal data.

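As a fifth step, take any formal procedural steps that adopting your supplementary measures may require, depending on the Article 46 GDPR transfer tool you rely on. These recommendations set out some of these formalities. You may need to consult your competent supervisory authorities on some of them.

The sixth and final step is to re-evaluate, at appropriate intervals, the level of protection of the personal data you transfer to third countries, and to monitor whether there have been or will be any developments that may affect it. The accountability principle requires continuous vigilance over the level of protection of personal data.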

Supervisory authorities will continue exercising their mandate to monitor the application of the GDPR and enforce it. Supervisory authorities will pay due consideration to the actions exporters take to ensure that the data they transfer is afforded an essentially equivalent level of protection. As the Court recalls, supervisory authorities will suspend or prohibit data transfers in those cases where they find that an essentially equivalent level of protection cannot be ensured, following an investigation or a complaint.

Supervisory authorities will continue developing guidance for exporters and coordinating their actions in the EDPB to ensure consistency in the application of EU data protection law.

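Supervisory authorities will continue to carry out their mandate of monitoring and enforcing the application of the GDPR. They will give due consideration to the actions data exporters take to ensure that the data they transfer receives an essentially equivalent level of protection. As the Court recalls, where supervisory authorities find, following an investigation or a complaint, that an essentially equivalent level of protection cannot be ensured, they will suspend or prohibit the data transfer.

Supervisory authorities will continue to develop guidance for data exporters and coordinate their actions within the EDPB to ensure consistent application of EU data protection law.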

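How to download the Chinese-English parallel version of the final Recommendations on supplementary measures for cross-border data transfers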

This document has been uploaded to CSDN Resources; click the link to download it.

Alternatively, you can download this document via the WPS shared document.
